105 lines
2.3 KiB
Plaintext
105 lines
2.3 KiB
Plaintext
|
|
policy_module(cvs,1.2.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type cvs_t;
|
|
type cvs_exec_t;
|
|
inetd_tcp_service_domain(cvs_t,cvs_exec_t)
|
|
role system_r types cvs_t;
|
|
|
|
type cvs_data_t; # customizable
|
|
files_type(cvs_data_t)
|
|
|
|
type cvs_tmp_t;
|
|
files_tmp_file(cvs_tmp_t)
|
|
|
|
type cvs_var_run_t;
|
|
files_pid_file(cvs_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow cvs_t self:process signal_perms;
|
|
allow cvs_t self:fifo_file rw_file_perms;
|
|
allow cvs_t self:tcp_socket connected_stream_socket_perms;
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
allow cvs_t self:capability { setuid setgid };
|
|
|
|
allow cvs_t cvs_data_t:dir create_dir_perms;
|
|
allow cvs_t cvs_data_t:file create_file_perms;
|
|
allow cvs_t cvs_data_t:lnk_file create_lnk_perms;
|
|
|
|
allow cvs_t cvs_tmp_t:dir create_dir_perms;
|
|
allow cvs_t cvs_tmp_t:file create_file_perms;
|
|
files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
|
|
|
|
allow cvs_t cvs_var_run_t:file create_file_perms;
|
|
allow cvs_t cvs_var_run_t:dir rw_dir_perms;
|
|
files_pid_filetrans(cvs_t,cvs_var_run_t,file)
|
|
|
|
kernel_read_kernel_sysctls(cvs_t)
|
|
kernel_read_system_state(cvs_t)
|
|
kernel_read_network_state(cvs_t)
|
|
|
|
corenet_non_ipsec_sendrecv(cvs_t)
|
|
corenet_tcp_sendrecv_all_if(cvs_t)
|
|
corenet_udp_sendrecv_all_if(cvs_t)
|
|
corenet_tcp_sendrecv_all_nodes(cvs_t)
|
|
corenet_udp_sendrecv_all_nodes(cvs_t)
|
|
corenet_tcp_sendrecv_all_ports(cvs_t)
|
|
corenet_udp_sendrecv_all_ports(cvs_t)
|
|
|
|
dev_read_urand(cvs_t)
|
|
|
|
fs_getattr_xattr_fs(cvs_t)
|
|
|
|
auth_domtrans_chk_passwd(cvs_t)
|
|
|
|
corecmd_exec_bin(cvs_t)
|
|
corecmd_exec_sbin(cvs_t)
|
|
corecmd_exec_shell(cvs_t)
|
|
|
|
files_read_etc_files(cvs_t)
|
|
files_read_etc_runtime_files(cvs_t)
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
files_search_home(cvs_t)
|
|
|
|
libs_use_ld_so(cvs_t)
|
|
libs_use_shared_libs(cvs_t)
|
|
|
|
logging_send_syslog_msg(cvs_t)
|
|
|
|
miscfiles_read_localization(cvs_t)
|
|
|
|
sysnet_read_config(cvs_t)
|
|
|
|
mta_send_mail(cvs_t)
|
|
|
|
# cjp: typeattribute doesnt work in conditionals yet
|
|
auth_can_read_shadow_passwords(cvs_t)
|
|
tunable_policy(`allow_cvs_read_shadow',`
|
|
auth_tunable_read_shadow(cvs_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(cvs_t)
|
|
kerberos_read_keytab(cvs_t)
|
|
kerberos_read_config(cvs_t)
|
|
kerberos_dontaudit_write_config(cvs_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(cvs_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(cvs_t)
|
|
')
|